[Openvpn-devel,4/8,OSSL,3.0] Remove DES check with OpenSSL 3.0

Message ID 20210919162956.695496-4-arne@rfc2549.org
State Superseded
Headers show
Series
  • [Openvpn-devel,1/8,OSSL,3.0] Use new EVP_MAC API for HMAC implementation
Related show

Commit Message

Arne Schwabe Sept. 19, 2021, 4:29 p.m.
DES is very deprecated and accidently getting on the of the 16 insecure
keys that OpenSSL checks is extremely unlikely so we no longer use the
deprecated functions without replacement in OpenSSL 3.0.
---
 src/openvpn/crypto_openssl.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Patch

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index b4c59557b..9df6da02c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -522,6 +522,11 @@  key_des_num_cblocks(const EVP_CIPHER *kt)
 bool
 key_des_check(uint8_t *key, int key_len, int ndc)
 {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+    /* DES is deprecated and the method to even check the keys is deprecated
+     * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys
+     * we just accept them in OpenSSL 3.0 since the risk of randomly getting
+     * these is pretty weak */
     int i;
     struct buffer b;
 
@@ -554,6 +559,9 @@  key_des_check(uint8_t *key, int key_len, int ndc)
 err:
     ERR_clear_error();
     return false;
+#else
+    return true;
+#endif
 }
 
 void